Thanks for the info. Great info on pam_ldap. I was not aware of that man page.

No luck after inserting the pam_ldap module after the "dtlogin-sunray password" or "dtsession-sunray" section. The Sun Ray Server never looks for objectclass=shadow during ldap search.

Any ideas? Thanks.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lars Tunkrans
Sent: Thursday, September 18, 2008 1:38 PM
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] FW: SunRay-Users ldap authentication failing
Hi,

Your problem is that you have not implemented LDAP PAM modules in the "dtlogin-sunray password" section, nor in the "dtsession-sunray" section.

The manual for pam_ldap is rather explicit in what you need to do. For each of your authentication types you need to implement all of the below, Example 1 from the pam_ldap(5) manual page.

Then again, I have numerous times pointed out that there is a need for an /etc/PAM_LDAP.CONF example file to be included in the Solaris distribution and the SRS distribution.
Example 1 Using pam_ldap With Authentication

The following is a configuration for the login service when using pam_ldap. The service name login can be substituted for any other authentication service such as dtlogin or su. Lines that begin with the # symbol are comments and are ignored.

# Authentication management for login service is stacked.
# If pam_unix_auth succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_auth.so.1 to ignore the LDAP users.
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_ldap.so.1
Example 2 Using pam_ldap With Account Management

The following is a configuration for account management when using pam_ldap. Lines that begin with the # symbol are comments and are ignored.

# Account management for all services is stacked
# If pam_unix_account succeeds, pam_ldap is not invoked.
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The "server_policy" option is used
# to tell pam_unix_account.so.1 to ignore the LDAP users.
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
Example 3 Using pam_authtok_store With Password Management For Both Local and LDAP Accounts

The following is a configuration for password management when using pam_authtok_store. Lines that begin with the # symbol are comments and are ignored.

# Password management (authentication)
# The control flag "binding" provides a local overriding
# remote (LDAP) control. The server_policy option is used
# to tell pam_passwd_auth.so.1 to ignore the LDAP users.
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
# Password management (updates)
# This updates passwords stored both in the local /etc
# files and in the LDAP directory. The "server_policy"
# option is used to tell pam_authtok_store to
# follow the LDAP server's policy when updating
# passwords stored in the LDAP directory
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
Propst, Clinton W CTR USAF AMC 375 CSPTS/SCO wrote:

Hi All,

I have configured SRSS (4.0 patch 127553-02) for ldap using "ldapclient init ...". SSH and su work fine using ldap for authentication, but Sun Ray users are unable to log in. Receive "Login incorrect". Below is the pam.conf and ldap log. We are using Sun Java Directory Server 6.3.

Another error (attached below) that is related to ldap occurs during reboot. The Sun Ray services cannot bind to the Sun Ray Data Store. Can I configure the Sun Ray server as an ldap client or will it mess up the Sun Ray Data Store connection?

Any and all help greatly appreciated. Thanks in advance.

Clinton

pam.conf:
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account binding pam_unix_account.so.1 server_policy
dtlogin-SunRay account required pam_ldap.so.1
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth sufficient pam_unix_auth.so.1
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay account sufficient pam_unix_account.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password required pam_authtok_store.so.1
Sun Java Directory Server 6.3 log:
[11/Sep/2008:18:40:49 +0000] conn=1372 op=-1 msgId=-1 - fd=69 slot=69
LDAP connection from 134.221.19.22:33063 to 134.221.19.36
[11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - BIND
dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
method=128 version=3
[11/Sep/2008:18:40:49 +0000] conn=1372 op=0 msgId=1 - RESULT err=0
tag=97 nentries=0 etime=0
dn="cn=proxyagent,ou=profile,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
[11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - SRCH
base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2
filter="(&(objectClass=posixAccount)(uid=clinton.propst))" attrs=ALL
[11/Sep/2008:18:40:49 +0000] conn=1372 op=1 msgId=2 - RESULT err=0
tag=101 nentries=1 etime=0
[11/Sep/2008:18:40:49 +0000] conn=1373 op=-1 msgId=-1 - fd=71 slot=71
LDAP connection from 134.221.19.22:33064 to 134.221.19.36
[11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - BIND dn="uid=clinton.propst,ou=People,dc=users,dc=market,dc=hr,dc=usda,dc=gov" method=128 version=3
[11/Sep/2008:18:40:49 +0000] conn=1373 op=0 msgId=1 - RESULT err=0
tag=97 nentries=0 etime=0
dn="uid=clinton.propst,ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov"
[11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - SRCH
base="ou=people,dc=users,dc=market,dc=hr,dc=usda,dc=gov" scope=2
filter="(&(objectClass=posixAccount)(uidNumber=1201))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[11/Sep/2008:18:40:52 +0000] conn=1020 op=507 msgId=508 - RESULT err=0
tag=101 nentries=1 etime=0
[11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=3 - UNBIND
[11/Sep/2008:18:40:53 +0000] conn=1372 op=2 msgId=-1 - closing from
134.221.19.22:33063 - U1 - Connection closed by unbind client -
[11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=2 - UNBIND
[11/Sep/2008:18:40:53 +0000] conn=1373 op=1 msgId=-1 - closing from
134.221.19.22:33064 - U1 - Connection closed by unbind client -
[11/Sep/2008:18:40:53 +0000] conn=1372 op=-1 msgId=-1 - closed.
[11/Sep/2008:18:40:54 +0000] conn=1373 op=-1 msgId=-1 - closed.
Sun Ray Server /var/adm/messages during boot with ldap client configured:

Sep 11 13:38:35 sraysvr rpcbind: [ID 564983 daemon.error] rpcbind terminating on signal.
Sep 11 13:38:40 sraysvr utdevadm[19113]: [ID 702911 user.info]
open_connection(): Could not bind to DS server sraysvr - Can't connect
to the LDAP server
Sep 11 13:40:40 sraysvr utdevadm[1043]: [ID 702911 user.info]
open_connection(): Could not bind to DS server sraysvr - Can't contact
LDAP server
Sep 11 13:40:40 sraysvr utpulld[997]: [ID 224068 daemon.error] Error:
ldap_sasl_bind (host localhost, DN cn=admin,o=utdata) returned: Can't
contact LDAP server
Sep 11 13:40:40 sraysvr utpulld[997]: [ID 254794 daemon.error] Failed to bind to cn=admin,o=utdata on local utdsd: Can't contact LDAP server
Sep 11 13:40:44 sraysvr utglpolicy[1151]: [ID 702911 user.info]
open_connection(): Could not bind to DS server sraysvr - Can't connect
to the LDAP server
Sep 11 13:40:49 sraysvr utauthd: [ID 702911 user.info]
open_connection(): Could not bind to DS server sraysvr - Can't connect
to the LDAP server
Sep 11 13:41:11 sraysvr dtlogin[1197]: [ID 293258 user.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
Sep 11 15:27:02 sraysvr ldapclient[9418]: [ID 293258 user.warning]
libsldap: Status: 0 Mesg: NULL or invalid proxy bind DN
Sep 11 15:28:07 sraysvr ldapclient[9496]: [ID 293258 user.warning]
libsldap: Status: 0 Mesg: NULL or invalid proxy bind DN
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
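As an added example (not code from the thread, from Sun, or from the pam_ldap(5) page), here is a small Python audit that applies Lars's checklist mechanically: it parses a Solaris-style pam.conf and reports, per service and module type, each place where a stack departs from Examples 1 to 3 of pam_ldap(5) (the local module not stacked as "binding" with "server_policy", or pam_ldap.so.1 not following it). The embedded sample is a constructed subset of the pam.conf quoted above; the rule table is my reading of the three examples, not an official list.

```python
SAMPLE_PAM_CONF = """\
# constructed subset of the dtlogin-SunRay / dtsession-SunRay stacks from the thread
dtlogin-SunRay auth binding pam_unix_auth.so.1 server_policy
dtlogin-SunRay auth required pam_ldap.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth sufficient pam_unix_auth.so.1
dtsession-SunRay account sufficient pam_unix_account.so.1
dtsession-SunRay password required pam_authtok_store.so.1
"""

# Per type: (local module, required control flag or None, required option,
#            LDAP module that must follow or None) as read from pam_ldap(5) Examples 1-3.
REQUIREMENTS = {
    "auth": ("pam_unix_auth.so.1", "binding", "server_policy", "pam_ldap.so.1"),
    "account": ("pam_unix_account.so.1", "binding", "server_policy", "pam_ldap.so.1"),
    "password": ("pam_authtok_store.so.1", None, "server_policy", None),
}

def parse_pam_conf(text):
    """Map (service, type) -> ordered list of (flag, module basename, options)."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if fields:
            service, mtype, flag, module, *opts = fields
            entry = (flag, module.rsplit("/", 1)[-1], opts)
            stacks.setdefault((service, mtype), []).append(entry)
    return stacks

def audit(stacks):
    """Return one human-readable finding per deviation from the pam_ldap(5) examples."""
    findings = []
    for (service, mtype), entries in sorted(stacks.items()):
        if mtype not in REQUIREMENTS:
            continue
        local, want_flag, want_opt, ldap_mod = REQUIREMENTS[mtype]
        mods = [m for _, m, _ in entries]
        if local not in mods:
            findings.append(f"{service} {mtype}: {local} not in stack")
            continue
        idx = mods.index(local)
        flag, _, opts = entries[idx]
        if want_flag and flag != want_flag:
            findings.append(f"{service} {mtype}: {local} is '{flag}', expected '{want_flag}'")
        if want_opt not in opts:
            findings.append(f"{service} {mtype}: {local} lacks {want_opt}")
        if ldap_mod and ldap_mod not in mods[idx + 1:]:  # LDAP module must come after local one
            findings.append(f"{service} {mtype}: {ldap_mod} missing after {local}")
    return findings
```

Running `audit(parse_pam_conf(open("/etc/pam.conf").read()))` on a real Solaris host lists the stacks that still need the Example 1 to 3 treatment; on the sample it flags every dtsession-SunRay stack and the two password stacks while passing dtlogin-SunRay auth.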